Developing a Compliance-Driven Framework
By Edward Smith, Director, Security Solutions, Forsythe Solutions Group, Inc.
For years, IT departments have implored company executives to take security seriously, to little effect. Worst case, execs figured, IT would have to fight off a few worms and viruses. Big deal.
But now that the government can fine companies for their security lapses, corporate leaders are paying closer attention. Some organizations are currently exempt from regulations such as Sarbanes-Oxley (accounting reform), HIPAA (the Health Insurance Portability and Accountability Act, covering health care and privacy), the Gramm-Leach-Bliley (GLB) Act (financial privacy) and Basel II (banking), but that may change. If laws like California SB1386--which requires the disclosure of security breaches any time personal information is exposed--gain traction nationwide, they will affect all enterprises.
SB1386's implications are tremendous: If 50,000 client records are exposed to identity theft and a class-action suit is filed, for example, there could be fines of several thousand dollars per affected party. That kind of blow could destroy some organizations.
Where to Begin
Understanding your company's potential liability is the first step toward developing a compliance-driven framework. Identify and rank your compliance drivers--perhaps Sarbanes-Oxley first, followed by SB1386.
Next, review existing applications and system processes, along with any planned infrastructure, application or merger initiatives. Consider how these will strengthen or weaken your compliance posture. Such a determination typically requires input from all areas of the business, including executive management, legal, human resources, business continuity/disaster recovery, IT, security and multiple business units.
Edward Smith is director of security solutions for Forsythe. Smith leads the company’s efforts in developing IT infrastructures that ensure a secure, recoverable, and available environment for business. To learn more about Forsythe, visit www.forsythe.com. To read more security articles or to learn more about Forsythe’s security solutions, visit http://www.forsythe.com/Forsythe/itriskman/security/index.jsp.